Trojaned Networking Tools

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at trojaned networking tools; a new version of OpenSSH; buffer overflows in fetchmail, mnews, Debian's Netstd, Informix, and BannerWheel; and problems in dhcpd, Sendmail, Solaris' rwalld, and FreeBSD's rc.

On May 17th, 2002, the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tar files on monkey.org were replaced with versions that included trojan back door code. The substitution was discovered and the system was restored a week later. Monkey.org has taken steps to increase its security and has installed OpenBSD-current.

Anyone who downloaded one of these packages during this time period should disable the package, if it was installed, and replace it with a new version. It is also recommended that anyone running a version that was downloaded during this time period check their system carefully for any sign that their system has been cracked.

dhcpd, a daemon that provides Dynamic Host Configuration Protocol (DHCP) support, is vulnerable to a format-string-based attack that can be used by a remote attacker to execute commands with the permissions of the user running dhcpd (often root). The format string vulnerability is in the portion of the code that deals with the DNS update feature. Under SuSE Linux, dhcpd is not installed in the default installation, but if installed will execute as root. Under Mandrake Linux, the daemon runs as root except under version 8.x, where it runs as the dhcp user.

Affected users should upgrade to the latest dhcpd package as soon as possible. Users can disable the DNS update feature in dhcpd by adding the following lines to the dhcpd configuration file:

OpenSSH version 3.2.3 has been released. This version corrects a problem on OpenBSD and BSD/OS systems using Yellow Pages that can, under some conditions, result in the database entry of a different user being used during authentication. This problem could cause a user who has been denied access to be allowed to log in, and an authorized user to be refused. Also fixed in this release are problems with login/ttys under Solaris and build problems on Cygwin systems.

Sendmail is vulnerable to a denial-of-service attack that abuses flock() or fcntl() file locking. A local user who opens and locks certain files used by Sendmail can prevent it from processing mail. The user holding the lock can be identified with a tool such as lsof. Files that can be used in a denial-of-service attack against Sendmail include: aliases, maps, statistics, and the pid file.

Users can protect their Sendmail installation by modifying file permissions so that unprivileged users on the system cannot open the affected files.
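The permission workaround above can be audited with a short shell script. This is an added example, not code from the column or from the Sendmail project: it checks whether any of the files Sendmail locks can be opened by group or other (the precondition for a local user to hold a lock on them), and wraps lsof, as the column suggests, to show who currently has a file open. The file paths are typical Sendmail locations and are assumptions; adjust them to match the installation.

```shell
#!/bin/sh
# Added example (not from the column): audit the files Sendmail locks with
# flock()/fcntl() for permissions that let an ordinary local user open them.
# A user who can open one of these files can hold a lock on it and stall
# Sendmail; the workaround is to deny those users the open() in the first
# place. The paths below are typical locations and are assumptions.

SENDMAIL_LOCK_FILES="/etc/mail/aliases /etc/mail/aliases.db \
/etc/mail/statistics /var/run/sendmail.pid"

# check_lock_exposure FILE
# Returns 0 if only the owner has any access bits on FILE (or FILE does
# not exist), 1 if group or other can open it.
check_lock_exposure() {
    f="$1"
    [ -e "$f" ] || return 0
    # Columns 5-10 of `ls -ld` output are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        return 0
    fi
    echo "$f: group/other bits '$perms' let other users open and lock it" >&2
    return 1
}

# audit_sendmail_files [FILE...]
# Runs the check over every listed file; the exit status is the number of
# exposed files, so 0 means nothing to fix.
audit_sendmail_files() {
    exposed=0
    for f in "$@"; do
        check_lock_exposure "$f" || exposed=$((exposed + 1))
    done
    return $exposed
}

# show_lock_holders FILE
# Uses lsof to list the processes (and users) that currently hold FILE open;
# lsof appends r/R/w/W to the FD column when the descriptor holds a lock.
show_lock_holders() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -- "$1"
}

# Usage (as root): ./sendmail_lock_audit.sh --run
# Exits non-zero if any of the standard files is exposed.
if [ "${1:-}" = "--run" ]; then
    audit_sendmail_files $SENDMAIL_LOCK_FILES
    exit $?
fi
```

The check is deliberately strict: any group or other bit is reported, because a read-only open is enough to take a shared flock() on the file. Whether a given file can actually be made mode 600 depends on which users Sendmail runs as on the system, so treat each report as something to verify rather than a setting to apply blindly.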

The rwalld daemon that is distributed with Solaris is vulnerable to a format string attack that may, under some conditions, be exploited by a remote attacker to execute code with the permissions of the user running rwalld. This vulnerability has been reported to affect Solaris versions 2.5.1, 2.6, 7, and 8.

mnews, an email and news client, is vulnerable to buffer overflows and can be exploited by a local (or, in some cases, remote) user to execute arbitrary code (often as group mail). This vulnerability is reported to affect version 1.22.

Netstd is a legacy set of network daemons and applications that has in the past been distributed with Debian Linux. It has been reported that there are buffer overflows in several applications in Netstd that can be exploited by a remote attacker who controls a name server. This package was distributed as part of the Debian Potato release, but is reported to not be distributed with the Woody release.

A buffer overflow has been reported in Informix that can be exploited by a local attacker to obtain root permissions. This buffer overflow is reported to affect Informix version SE-7.25 under Linux, but may affect other platforms.